Frequently Asked Questions

How do you configure ZAP logging?

ZAP logs to a file called “zap.log” in the ZAP ‘home’ directory.

The logging is configured by the log4j2.properties file in the same directory.

By default the ‘main’ logging levels are set to info by these lines:

logger.paros.name = org.parosproxy.paros
logger.paros.level = info

logger.zap.name = org.zaproxy.zap
logger.zap.level = info

Changing these to debug (and restarting ZAP) will significantly increase the amount of logging performed:

logger.paros.name = org.parosproxy.paros
logger.paros.level = debug

logger.zap.name = org.zaproxy.zap
logger.zap.level = debug

Logging can be selectively enabled using a Stand Alone script while ZAP is running (the example below is a JavaScript script):

var Configurator = Java.type("org.apache.logging.log4j.core.config.Configurator");
var Level = Java.type("org.apache.logging.log4j.Level");

// https://logging.apache.org/log4j/2.x/javadoc.html
Configurator.setLevel({
  // The following will enable DEBUG logging for the API
  "org.zaproxy.zap.extension.api.API" : Level.DEBUG,
  // The following will enable DEBUG logging for the Session Fixation scan rule
  "org.zaproxy.zap.extension.ascanrulesBeta.SessionFixationScanRule" : Level.DEBUG,
  // The following will enable DEBUG logging for the spider add-on
  "org.zaproxy.addon.spider" : Level.DEBUG,
});